[lg policy] (no subject)

[Harold Schiffman]

DoD should use third-party cybersecurity assessments for its vendors
By Leslie Weinstein <https://federalnewsnetwork.com/author/commentator/>
June 11, 2019 12:20 pm

4 min read
13 Shares

In the wake of so many high-profile hacks and compromises it seems that no
one is safe from a determined malicious cyber threat actor. Should we
simply accept that data compromises are the norm and focus on developing
coping mechanisms? No!

When implemented properly, data protection strategies work. The question is
how can the small- and medium-sized businesses that are part of the Defense
Industrial Base (DIB) do that?

While systems and data will always face the risk of hacking, it is possible
to reduce the risk of becoming the victim of a malicious cyber actor by
following basic cybersecurity guidelines. To this end, for nearly 20 years,
the US government and other oversight bodies have been issuing
cybersecurity guidelines and regulations.

But guidelines and regulations have not been enough to protect the DIB. A
recent Interagency Task Force report to the White House report identified
three key reasons for continued cybersecurity risks:

   1. Lack of uniform security implementation
   2. Inconsistent implementation of adequate security among defense
   suppliers;
   3. Reliance on self-attestation of adherence to government cybersecurity
   standards
   <https://s3.amazonaws.com/static.militarytimes.com/assets/eo-13806-report-final.pdf,>
   .

These risks can be mitigated by requiring third-party network assessments
and certifications of vendor networks.

        Insight by Carbon Black: Learn best practices for cyber threat
hunting, compliance and cyber data analytics in this exclusive executive
briefing.
<https://federalnewsnetwork.com/federal-insights-analysis/2019/06/executive-briefing-series-cyber-threat-hunting/?utm_source=federalnewsnetwork.com_in-articlepromo&utm_medium=referral&utm_campaign=carbon%20black&utm_content=in-articlepromo>

In fact, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204
already requires that all contractor and sub-contractor networks which
process, store or transmit Controlled Unclassified Information meet the minimum
cybersecurity standards
<https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm> listed in
the National Institute of Standards and Technology Special Publication
800-171. But, the Defense Department does not currently have the manpower
or budget to assess and certify that every vendor meets the DFARS
cybersecurity standards. The DoD should, through policy, enable and require
third-party assessment and certification of the Defense Industrial Base
networks covered under the DFARS language. This policy would ensure
compliance with DFARS cybersecurity regulations without burdening DoD with
any additional manpower or capabilities requirements.
Third-party DIB assessments

Moreover, DoD can leverage a model that the Health Information Trust
(HITRUST) Alliance has created by establishing a cybersecurity controls
framework, enabling third-party compliance assessments, and developing a
process by which to certify that networks are in compliance with the
established cybersecurity framework. Since 2007, HITRUST has been assisting
vendors with compliance to government and industry cybersecurity
regulations. The DoD should leverage HITRUST’s approach and implement a
similar model for the DIB.

Related Stories

   - Why the Navy is giving agencies, industry a much-needed wake-up call
   on supply chain risksAcquisition
   <https://federalnewsnetwork.com/acquisition/2019/04/navy-giving-agencies-industry-much-needed-wake-up-call-on-supply-chain-risks/>
   - New task force aims to help defense contractors comply with
   cybersecurity standardsFederal Drive
   <https://federalnewsnetwork.com/federal-drive/2019/05/new-task-force-aims-to-help-defense-contractors-comply-with-cybersecurity-standards/>
   - Pentagon planning new steps to shore up smaller suppliers’
   cybersecurityDefense
   <https://federalnewsnetwork.com/defense-main/2019/01/pentagon-planning-new-steps-to-shore-up-smaller-suppliers-cybersecurity/>

DoD has already completed the first step, by establishing a cybersecurity
controls framework, and is compulsory under the DFARS language. And like
HITRUST, the DoD can and should approve organizations to perform
assessments of the DIB networks. HITRUST has approved 80 organizations to
conduct assessments in accordance with their risk management framework.
Much like the DoD publishes a list of approved baseline cybersecurity
certifications for the DoD cybersecurity workforce, the DoD could similarly
vet and publish a list of organizations approved to conduct DoD DFARS
assessments <https://iase.disa.mil/iawip/Pages/iabaseline.aspx>. Assessments
should be required of all DIB networks covered by the DFARS language, and
the assessment results should be made available to the DoD during the
contracting process.

Initially, small and medium sized companies may view such assessments as a
barrier to entry, but failing to have the necessary cybersecurity
protections in place is a much bigger issue that will actually prevent such
firms from competing in the future. Cybersecurity compliance cannot be done
on the cheap, because the information shared by DoD is critical. And if a
vendor cannot afford to properly implement cybersecurity controls, then
they should not be allowed to process, possess or access government
information on their networks.
Certification is a big challenge

The biggest challenge in adopting the HITRUST approach to risk management
and compliance, would be their certification process. Tiger Connect, a
vendor that was recently certified by HITRUST, claims that HITRUST’s
certification process took more than seven months and involved several
rounds of audits and corrections
<https://www.tigerconnect.com/blog/what-tigertexts-hitrust-certification-means-for-you/>.
The expense and time involved in that type of certification process may
initially be too expensive for small to medium sized companies within the
DIB. Moreover, unlike HITRUST, DoD does not have the resources to directly
conduct network certifications.

ADVERTISEMENT
In light of this, DoD should develop policies to allow third parties to
certify networks as being compliant. And as DoD gains experience and more
firms enter the market for cybersecurity certification, the cost and time
burden of obtaining a DFARS certification should also drop. Initially,
however, large DIB enterprise networks should be able to readily afford and
attain a DFARS certification, and should be expected to do so.

        Subscribe to Federal News Network's Morning Federal Report and In
Case You Missed it newsletters and be the first to read the latest from
Mike Causey, Tom Temin, and the most important issues facing federal
managers and government agencies.
<https://federalnewsnetwork.com/email-alerts/>

The DoD already has the necessary tools to implement a network assessment
and certification policy to significantly reduce the risk of data
compromises among the DIB. Ultimately, the DoD should take action to both
require a network assessment before the bidding process, and also ensure
that post contract award all large enterprise networks achieve network
certification.

*Leslie Weinstein is an Army Reserve officer and DoD policy consultant, and
is writing a white paper on defense industrial base cybersecurity issues.*

*Copyright © 2019 Federal News Network. All rights reserved. This website
is not intended for users located within the European Economic Area.*


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 Harold F. Schiffman

Professor Emeritus of
 Dravidian Linguistics and Culture
Dept. of South Asia Studies
University of Pennsylvania
Philadelphia, PA 19104-6305

Phone:  (215) 898-7475
Fax:  (215) 573-2138

Email:  haroldfs at gmail.com
http://ccat.sas.upenn.edu/~haroldfs/

-------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listserv.linguistlist.org/pipermail/lgpolicy-list/attachments/20190612/3e1d8d14/attachment.htm>
-------------- next part --------------
_______________________________________________
This message came to you by way of the lgpolicy-list mailing list
lgpolicy-list at groups.sas.upenn.edu
To manage your subscription unsubscribe, or arrange digest format: https://groups.sas.upenn.edu/mailman/listinfo/lgpolicy-list